Earlier today one of our readers (Thanks Alice) noticed that there was a lot more activity related to one of her servers which was running phpMyAdmin. Upon further investigation it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4. The attacker uploaded a lot of the same old types of tools such as a misnamed EnergyMech IRC bot, a perl based UDP flooding tool, and an automated tool to attempt phpMyAdmin.

It is now past time to update to phpMyAdmin 3.1.3.2 and/or updating firewall rules to limit the public Internet from touching this web application.

Updated: Monday 06/22/2009 22:30 UTC

I have heard more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation. I haven't seen a copy of the exploiting tool as of yet. If you happen to get a copy of the tool, or get packet captures of it at work, please feel free to send to us.